Researchers at Obsidian Security published details of a three-CVE attack chain that allows any low-privilege account holder on a LiteLLM proxy to escalate to full administrator access and execute arbitrary code on the server. The chain carries a combined CVSS score of 9.9 and was patched in LiteLLM v1.83.14-stable ahead of the June 15, 2026, public disclosure — but deployments upgraded only to v1.83.7 through v1.83.13 to address the separate CVE-2026-42271 command-injection flaw remain fully exposed.
The Three-CVE Attack Chain Disclosed by Obsidian Security
LiteLLM is an open-source AI API gateway used by enterprises to route calls to multiple LLM providers — including OpenAI, Anthropic, Google, and Azure OpenAI — through a single proxy. Because the gateway holds API credentials for every configured provider simultaneously, a server compromise gives the attacker access to all managed AI provider keys in one operation.
CVE-2026-47101: Wildcard Route Bypass Grants Admin Access from Any Low-Privilege Account
The entry point in the chain is an authorization bypass in LiteLLM’s self-service API key generation endpoint. Users on LiteLLM instances can generate their own API keys to interact with the proxy. The application allows key holders to specify an allowed_routes parameter controlling which endpoints the key can reach.
A low-privilege user can set allowed_routes: ["/*"] — a wildcard value the application fails to reject — producing a self-issued key with access to every API route on the proxy, including admin-only management endpoints. No administrator interaction is required; any valid user account on the instance is sufficient to execute the bypass.
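The missing issuance-time check can be sketched as follows. This is an added example, not LiteLLM's code or its patch: it compares an issuer that stores the requested allowed_routes unchecked with one that only grants routes the caller's own role already covers. The role names, route names and function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy: the roles and route names are illustrative, not LiteLLM's.
ROLE_ROUTES = {
    "internal_user": {"/chat/completions", "/embeddings", "/models"},
    "proxy_admin": {"/*"},
}
WILDCARDS = set("*?[")


def key_can_reach(allowed_routes, path):
    """Route check applied when a key is used; '*' also matches '/'."""
    return any(fnmatchcase(path, pattern) for pattern in allowed_routes)


def naive_allowed_routes(role, requested):
    """Flawed issuance: stores the caller's requested routes unchecked."""
    return list(requested)


def strict_allowed_routes(role, requested):
    """Issue only routes that the caller's own role already grants."""
    granted = ROLE_ROUTES.get(role, set())
    accepted = []
    for route in requested:
        if not isinstance(route, str) or not route.startswith("/"):
            raise ValueError(f"malformed route: {route!r}")
        if route in granted:
            accepted.append(route)      # caller already holds this exact entry
        elif WILDCARDS & set(route):
            raise PermissionError(f"wildcard {route!r} exceeds role {role!r}")
        elif key_can_reach(granted, route):
            accepted.append(route)      # literal path covered by the role
        else:
            raise PermissionError(f"{route!r} not granted to role {role!r}")
    return accepted


if __name__ == "__main__":
    admin_path = "/guardrails/custom"   # constructed admin-only route
    weak = naive_allowed_routes("internal_user", ["/*"])
    print("naive key reaches admin route:", key_can_reach(weak, admin_path))
    try:
        strict_allowed_routes("internal_user", ["/*"])
    except PermissionError as exc:
        print("strict issuance refused:", exc)
    print(strict_allowed_routes("internal_user", ["/models"]))
    print(strict_allowed_routes("proxy_admin", ["/*"]))
```

The same subset rule can be run over already-issued keys to find any whose stored routes exceed what the owner's role permits.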
CVE-2026-40217: Exec() Injection in Custom Code Guardrail Executes Attacker Code as Root
With admin access obtained through CVE-2026-47101, the second vulnerability becomes reachable. LiteLLM’s Custom Code Guardrail feature lets administrators write Python-based filtering logic that the proxy applies to incoming requests. The production endpoint processing guardrail submissions passes the code directly to Python’s built-in exec() function with no source-level input filtering.
An attacker can submit a crafted guardrail payload containing an os.system() call. The proxy executes it, spawning a reverse shell running under the process’s operating-system privileges. Obsidian also identified a third vulnerability — a host-header validation bypass in Starlette, the ASGI web framework underlying LiteLLM — that in certain deployment configurations enables external triggering of the full chain without a low-privilege starting account.
Organizations Patched for CVE-2026-42271 Remain Exposed Until v1.83.14-stable
LiteLLM patched CVE-2026-42271, a command-injection flaw in its MCP server test endpoints discovered by Horizon3.ai, in v1.83.7. Operators who upgraded to address CVE-2026-42271 but stopped at any version between v1.83.7 and v1.83.13 have not received the Obsidian chain fixes. The full remediation for CVE-2026-47101, CVE-2026-40217, and the Starlette BadHost vulnerability is incorporated only in v1.83.14-stable, released ahead of the June 15 public disclosure following Obsidian’s responsible disclosure to BerriAI.
The two vulnerability sets affect different code paths. CVE-2026-42271 targeted MCP server test endpoints; the Obsidian chain targets the key generation endpoint, the Custom Code Guardrail execution path, and the Starlette host-validation layer. The June 9 patch provides no protection against the Obsidian chain.
How a Single LiteLLM Compromise Exposes All Managed AI Provider Keys
The business impact of a successful exploit extends beyond the compromised server. LiteLLM centralizes AI API credentials across provider accounts; a proxy in a typical enterprise deployment holds keys for multiple providers simultaneously. An attacker who achieves code execution on the proxy gains access to all of those credentials at once.
According to Obsidian, the practical consequences include cost fraud at scale against provider accounts, exfiltration of every prompt and response routed through the gateway — which may include sensitive business or customer data — and potential lateral movement to downstream systems that trust requests originating from the proxy. The entry requirement is low: a standard developer or contractor account on the LiteLLM instance is sufficient to initiate the chain through CVE-2026-47101.
Administrators running LiteLLM should upgrade to v1.83.14-stable. Obsidian’s disclosure includes technical details and CVSS breakdowns for each vulnerability in the chain.
